Singh, Sukhjeet wrote:
>
> The server allows capture of the HTTP service banner. Service banners
> can contain sensitive information, such as application and Operating
> System (OS) version numbers. An attacker can use the version information
> from your Web server to determine if there are any known vulnerabilities
> present, or can use such information to create attacks towards the
> specific application or OS.
>
> SSL HTTP/1.1 200 OK Server: Apache-Coyote/1.1 X-Powered-By: Servlet 2.4;
> JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA
> date=200807181417)/JBossWeb-2.0 ETag: W/1570-1216412442000
> Last-Modified: Fri, 18 Jul 2008 20:20:42 GMT Content-Type: text/html
> Content-Length: 1570 Date: Wed, 11 Mar 2009 02:11:24 GMT

Repeat noise, you get noise in response.

Exploits are rarely sophisticated in their attack. They will probe for vulnerable URIs until they achieve success. You can cloak your Tomcat as IIS, your IIS as Apache or your httpd as whatever and it won't matter one iota.

But no matter, "there's a directive for that"(TM)[1]. See http://httpd.apache.org/docs/2.2/mod/core.html#servertokens

Sadly, this information is useless to you. This is not an httpd issue, it's a JBoss issue. Take it to their user forum. This is not a JBoss support forum.

[1] "there's a directive for that" is a Trademark of the Apache Software Foundation, created by the Apache httpd Project. :)

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
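An added example, not part of the original thread: a Python check that parses a response header block like the one quoted in the scanner finding and reports which banner headers disclose a product and version, so a change on the backend can be verified. The function names, the header list and the regular expression are assumptions of this sketch; `SAMPLE` is reconstructed from the quoted banner and `TRIMMED` is constructed.

```python
import re

# Headers checked for banners: the two that appear in the quoted response.
BANNER_HEADERS = ("server", "x-powered-by")

# Product name followed by a dotted version, e.g. "Apache-Coyote/1.1", "JBoss-4.2.3.GA".
VERSION_TOKEN = re.compile(r"([A-Za-z][A-Za-z_-]*?)[/ -](\d+(?:\.\d+)+(?:\.[A-Za-z]+)?)")

# Reconstructed from the banner quoted in the thread (one header per line).
SAMPLE = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181417)/JBossWeb-2.0
ETag: W/1570-1216412442000
Content-Type: text/html
Content-Length: 1570
"""

# Constructed: the same response with the version details no longer sent.
TRIMMED = "HTTP/1.1 200 OK\nServer: Apache\nContent-Type: text/html\n"


def parse_headers(raw):
    """Parse a raw header block into (status_line, {lowercased name: value})."""
    lines = raw.strip().splitlines()
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:      # folded continuation line
            headers[last] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        last = name.strip().lower()
        # A repeated header is joined with a comma rather than overwritten.
        headers[last] = (headers[last] + ", " if last in headers else "") + value.strip()
    return lines[0], headers


def disclosed_versions(raw):
    """Return (header, product, version) for each versioned token in a banner header."""
    _, headers = parse_headers(raw)
    return [(name, product, version)
            for name in BANNER_HEADERS
            for product, version in VERSION_TOKEN.findall(headers.get(name, ""))]


if __name__ == "__main__":
    for finding in disclosed_versions(SAMPLE):
        print("%s discloses %s %s" % finding)
    print("trimmed response findings:", disclosed_versions(TRIMMED))
```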